POPIA - pwc.co.za

Feb 11, 2022
Protection of Personal Information Act (POPIA)

April 2021

PwC

Meet today's team

• Rutendo Musasa, Manager, Centre of Excellence
• Khamiel Arendse, Director
• Lauren Kleintjies, Manager
• Andrea Benkenstein, Senior Manager, CoE Family Business
• Ivo Meyer, Associate Director (Email: [email protected])
• Tammy Marshman, Moderator (Email: [email protected])
• Charles Fischer, Associate Director (Email: [email protected])

Brief overview of POPIA

Objectives

1. Promote the protection of personal information processed by public and private bodies.
2. Introduce conditions and establish minimum requirements.
3. Provide for the establishment of an Information Regulator (incl. PAIA).
4. Provide for the issuing of codes of conduct.
5. Provide for rights regarding unsolicited electronic communications and automated decision-making.
6. Regulate the transborder flow of information.

Scope

It covers: enforcement, conditions, special information, the Regulator, trans-border flows, automated decision-making and direct marketing.

When does it apply?
• Public and private bodies.
• Natural and juristic persons.
• Automated and non-automated processing.

When does it not apply?
• Household or personal use.
• De-identified data.
• Processing by Cabinet or the Executive Councils of provinces.
• Processing that involves national security.
• Judicial functions.
• Journalistic, literary or artistic expression.

Timeline

1997: Constitution
2001: Promotion of Access to Information Act
2002: Electronic Communications and Transactions Act
2005: Regulation of Interception of Communications and Provision of Communication-related Information Act
2006: National Credit Act
2010: King III
2011: Consumer Protection Act
2013: Protection of Personal Information Act signed into law
2020 (July): Remainder of the sections of the Act enacted, with 12 months' grace to comply

Privacy basics - What is personal information?

"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Privacy basics - Who is the data subject?

"data subject" means the person to whom personal information relates, and can be a natural or juristic person.

Privacy basics - Data privacy - A balance of rights

The individual's rights and obligations on one side, and the organisation's rights and obligations on the other: there needs to be a balance of interests with respect to the collection, use, disclosure and disposal of personal information.

Privacy basics - Who is regulated?

• Responsible Party
• Operator

Key insight: An organisation needs to determine the circumstances in which it is a Responsible Party, and when it is an Operator.

Privacy basics - What is processing?

"processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.

Information lifecycle
• Create and collect
• Use and analyse
• Share and transfer
• Store and archive
• Maintain and update
• Destroy and erase

Lawful processing of information

Key insight: The principle of 'reasonableness' will apply.

POPIA prescribes eight conditions for the lawful processing of personal information:

1. Accountability: The organisation has measures in place to ensure that it complies with the requirements of POPIA.
2. Processing limitation: Personal information may only be processed in a fair and lawful manner.
3. Purpose specification: Personal information may only be processed for specific, explicitly defined and legitimate reasons.
4. Further processing limitation: Personal information may not be processed for a secondary purpose unless that purpose is compatible with the original purpose.
5. Information quality: Personal information must be accurate, complete and up to date.
6. Openness: The organisation provides adequate notice regarding its processing activities.
7. Security safeguards: Personal information must be protected against the risk of loss, unauthorised access, interference, modification, destruction and disclosure.
8. Data subject participation: Data subjects' rights to access, update, correct and delete their personal information must be upheld.

Special processing requirements

POPIA creates special obligations for the processing of specific types of data or the performance of particular processing activities that organisations will need to consider.

• Special personal information: Processing special personal information (including race, health, sexual orientation, biometric information, etc.) requires extra vigilance.
• Cross-border transfers: Cross-border transfers of personal information (i.e. the transfer of personal information from South Africa to another country) require additional protection measures.
• Direct marketing: Direct marketing (electronic and unsolicited) requires organisations to have measures in place for data subjects to opt in and opt out.
• Children's personal information: Processing the personal information of children (under 18 years) requires the informed consent of a competent person (e.g. a parent) to be obtained.

Automated decision-making

A data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, based solely on the automated processing of personal information intended to provide a profile of such a person.

Exceptions:
• In connection with the conclusion or execution of a contract, where the request of the data subject in terms of the contract has been met or measures to protect the legitimate interests of data subjects have been taken; or
• Where such processing is governed by a law or code of conduct that protects the legitimate interests of data subjects.

What happens if you do not comply?

• Financial fines (up to R10 million per breach)
• Imprisonment (up to 10 years)
• Reputational damage: loss of customers and employees (and failing to attract new ones)
• Civil liability claims
• Enforcement notices

Readiness profile of your organisation

Profile / Description / Problem statement

The ostrich
Description: Ignored POPIA until now and was hoping it would never be announced. Now in a state of panic.
Problem statement: Doesn't understand the applicability of POPIA and the implications of implementing the requirements.

The woodpecker
Description: Looking for a quick fix and wants to use templates to do the minimum to be compliant.
Problem statement: Typically thinks that POPIA can be implemented through templates alone, which might not ensure compliance.

The eight-eyed spider
Description: Disjointed programme without a central coordinated approach to ensure initiatives are aligned.
Problem statement: Can be wasting time by not following a risk-based and structured approach. Needs a clear roadmap.

The clever owl
Description: Knows what is required but doesn't know how to implement it.
Problem statement: Laid the foundations for privacy but followed a theoretical approach and doesn't know how to operationalise it and make compliance sustainable.

The blind mole
Description: Tasked either IT or Legal to run with it without involving the rest of the business.
Problem statement: Doesn't know it has a problem and is overconfident. Needs to consider people, process and technology as part of implementation.

The octopus
Description: Operating in multiple jurisdictions. Doesn't know which regulation to comply with.
Problem statement: Needs to do a proper mapping and prioritise the relevant legislation to comply with first, based on a risk assessment.

The POPIA compliance journey

01. Understand the applicability of the law
02. Ensure accountability
03. Classify and map your personal data
04. Ensure openness
05. Ensure purpose and limitation
06. Ensure data subject rights
07. Data breach management
08. Data security safeguards
09. Management of personal data with data quality
10. Further processing with care

Accelerators for implementing POPIA

What should your priorities be for the next three months?
• Define what 'material compliance' means to you, e.g.:
  - Review your POPIA compliance risks.
  - Distinguish between mandatory requirements according to POPIA and good practices.
  - Go manual; you can later automate and look for efficiency in processes.
• Review your implementation plan, and reprioritise implementation activities and the information assets in scope, if necessary.
• Get your internal auditors involved early on to test the effectiveness of the measures implemented to date and to help guide priorities.

What can you do if you have not yet started?
• Depending on the size and complexity of your business, accept that you will not be 'materially' compliant by 30 June.
• You can't ignore POPIA; you might as well start now.
• Develop a medium- to longer-term implementation plan, even if it extends beyond 30 June.
• For the next 3 months, prioritise POPIA requirements in the highest-risk areas and information assets.
• Update policies, forms and websites with POPIA clauses.
• Put measures in place to prevent a data breach.
• Register an Information Officer.
• Provide POPIA awareness training.
• Stop collecting PI that you don't need.
• Put contracts in place with key third-party operators.

Thank you

"The information contained in this publication by PwC is provided for discussion purposes only and is intended to provide the reader or his/her entity with general information of interest. The information is supplied on an "as is" basis and has not been compiled to meet the reader's or his/her entity's individual requirements. It is the reader's responsibility to satisfy him or her that the content meets the individual's or his/her entity's requirements. The information should not be regarded as professional or legal advice or the official opinion of PwC. No action should be taken on the strength of the information without obtaining professional advice. Although PwC takes all reasonable steps to ensure the quality and accuracy of the information, accuracy is not guaranteed. PwC shall not be liable for any damage, loss or liability of any nature incurred directly or indirectly by whomever and resulting from any cause in connection with the information contained herein."

© 2021 PwC Inc. [Registration number 1998/012055/21] ("PwC"). All rights reserved. PwC refers to the South African member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.co.za for further details.